Hi, I noticed that in BackupPC_archiveHost, there are additional places where command strings are build without sufficient quoting. The following patch cures the most common problem - that the output location might contain spaces. Still, this is a very preliminary patch I don't feel well with - anybody who can control outLoc, host, pathnames, or extensions would could run into unexpected quoting problems (...a location name might well contain quotes...) or run shell code injection to execute arbitrary commands as the backuppc user.
Best regards,
Andreas.
--- BackupPC_archiveHost.org 2009-03-14 22:46:53.000000000 +0100
+++ BackupPC_archiveHost 2009-03-14 22:49:24.000000000 +0100
@@ -112,12 +112,12 @@
#
# Output file is a device or a regular file, so don't use split
#
- $cmd .= ">> $outLoc";
- $mesg .= " to $outLoc";
+ $cmd .= ">> \"$outLoc\"";
+ $mesg .= " to \"$outLoc\"";
} else {
mkpath($outLoc) if ( !-d $outLoc );
if ( !-d $outLoc ) {
- print("Error: unable to create output directory $outLoc\n");
+ print("Error: unable to create output directory \"$outLoc\"\n");
exit(1);
}
if ( $splitSize > 0 && -x $splitPath ) {
@@ -147,7 +147,7 @@
if ( -d $outLoc && -x $parPath ) {
if ( $parfile != 0 ) {
print("Running $parPath to create parity files\n");
- my $parCmd = "$parPath c -r$parfile $outLoc/$host.
$bkupNum.tar$fileExt.par2 $outLoc/$host.$bkupNum.tar$fileExt*";
+ my $parCmd = "$parPath c -r$parfile \"$outLoc/$host.
$bkupNum.tar$fileExt.par2\" \"$outLoc/$host.$bkupNum.tar$fileExt\"*";
$ret = system($parCmd);
if ( $ret ) {
print("Executing: $parCmd\n");
signature.asc
Description: This is a digitally signed message part.
